Riddle me this is a misc challenge that was part of the 2022 Jade CTF. For this one, we had to solve 200 math equations, send to us by a discord bot, in a very short time.

Solution

Writing a script to solve the equations with pyautogui:

#!/usr/bin/env python3
from time import sleep
import pyautogui
import pyperclip

i = 0
while True:
    i += 1
    print(f"Run {i}: ", end="")
    pyautogui.click(466, 950)
    pyautogui.dragTo(1661, 951, 0.3, button='left')

    pyautogui.hotkey('ctrl', 'c')

    data = pyperclip.paste()

    if any(c.isalpha() for c in data):
        print(data)
        exit(0)

    data = data.replace("/", "//")
    msg = round(eval(data))
    pyperclip.copy(str(msg))

    print(data.strip(), "=", msg)

    pyautogui.click(405, 1008)
    pyautogui.hotkey('ctrl', 'v')
    pyautogui.press('enter')

    sleep(1.5)

To find the X and Y coordinates for the mouse click and dragTo functions:

python -c 'import pyautogui; print(pyautogui.position())'

We used pyperclip to copy and paste the data from the discord app to the script and vice versa.

In case the bot sends us a message that is not a math equation, we just print it and exit the script.

Example equation:

304 * 550 / 2094 - 4367

The Challenge description said that integer division is used, so we had to replace the / with //.

To solve the equations, we used eval. This is not the best way, but it worked for us.

The final step was to find a sweet spot for the sleep function:

  • too low, the bot would not have enough time to send us the next equation
  • too high, the bot would not send us a new equation because we were too slow

Output

Discord app: startend

Terminal:

$ ./gui_solve.py
Run 1: 1251 - 495 // 1430 // 4059 + 246 - 2916 // 3142 * 3536 = 1497
Run 2: 3946 = 3946
Run 3: 1353 * 2480 // 3413 * 1 // 451 - 4170 % 2437 * 3444 = -5968450


Run 198: 470 * 3625 + 977 % 611 + 4175 = 1708291
Run 199: 2898 + 3939 % 1005 * 3920 + 825 // 3908 % 1554 - 4139 + 4321 
% 2357 = 3622803
Run 200: 301 * 459 + 525 * 3720 // 4211 = 138622
Run 201: Congrats! Here's your flag: jadeCTF{GUI_aut0mat10n_1s_ez!}

Flag

The flag is “jadeCTF{GUI_aut0mat10n_1s_ez!}”.